This article will address migrating from hybrid Azure AD to a cloud-only configuration. This could be useful if you no longer have a need for an on-prem AD server, or if you need more control over user attributes in Office 365. You might have already seen this process in Microsoft forums, but to my knowledge there hasn’t been a write-up about it. I wanted to write this article to put all the information in one place as a simple how-to.
Disclaimer: This is not Microsoft sanctioned or supported, but it does work at the time this article is published (with caveats noted later in this post).
To give a quick synopsis, it begins by moving your users to an OU that is not part of AD Sync. Once this is completed the users will be marked as deleted in Office 365; when they are then restored in Office 365, they will be marked as In Cloud accounts. Now don’t worry, the deleted user does not lose any data, and all mailbox and group settings will return when the user is restored. There is, however, one issue: when deleted user accounts are restored, a password change is forced.
The first step in the process should be informing the users, at least a week in advance, that their accounts are being migrated and that their passwords will be reset. Provide them with a temporary password that they can use to log into the account and inform them that they will be forced to change the password at login. It would be best to schedule the migration after hours, as mail will not flow to the accounts while they are in the deleted state.
Configuring Azure AD Connect
Now we are ready to begin the actual configuration. First you will need to move the users to a new OU and then filter that OU out of the AD Sync.
- Open Azure AD Connect and select customize synchronization options.
- Under Domain and OU filtering, select the option to sync selected domains and OUs.
- Click the arrow to show all the OUs under your domain and deselect the OU that you moved your users to.
- Go through the remaining steps in AAD Connect and configure all the changes.
- Once the sync has completed, all migrated users will show as deleted in Office 365.
Now we are not ready to restore them just yet. You will find that if you restore them at this point everything will work fine until AAD Connect runs another sync, and then the users will be deleted again. To solve this problem, we need to go back to AAD Connect. This time select the option to Refresh Directory Schema, select the proper domain and configure. Once the sync has completed, you will have to repeat steps 1-4 and customize synchronization options again.
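The OU move, the forced delta sync and the check that every migrated account is actually sitting in Deleted Users before anything else happens can be scripted so that nothing is restored too early. The following is an added example and not code from the original article; it assumes it runs on the Azure AD Connect server with the ActiveDirectory, ADSync and MSOnline modules available, and the OU name and the user list file are placeholders for your own values.

```powershell
# Added example, not part of the original article.
# Moves the migrating users into the OU that was deselected in Azure AD Connect,
# forces a delta sync, then polls the tenant until each user appears in the
# soft-deleted list. Nothing here restores a user.
Import-Module ActiveDirectory
Import-Module ADSync
Import-Module MSOnline

$TargetOU = 'OU=CloudOnly-Migration,DC=contoso,DC=local'   # placeholder: the OU excluded from sync
$UserList = @(Get-Content -Path '.\migrating-users.txt')   # constructed input: one sAMAccountName per line

# 1. Move each account into the OU that AAD Connect no longer syncs.
foreach ($sam in $UserList) {
    $adUser = Get-ADUser -Identity $sam
    Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $TargetOU
    Write-Output "Moved $($adUser.UserPrincipalName) to $TargetOU"
}

# 2. Trigger a delta sync now rather than waiting for the scheduler.
Start-ADSyncSyncCycle -PolicyType Delta

# 3. Poll the tenant until every moved user shows up under deleted users
#    (give up after roughly ten minutes and report what is still pending).
Connect-MsolService
$pending = @(foreach ($sam in $UserList) { (Get-ADUser -Identity $sam).UserPrincipalName })

for ($i = 0; $i -lt 20 -and $pending.Count -gt 0; $i++) {
    Start-Sleep -Seconds 30
    $deleted = Get-MsolUser -ReturnDeletedUsers -All |
               Select-Object -ExpandProperty UserPrincipalName
    $pending = @($pending | Where-Object { $deleted -notcontains $_ })
}

if ($pending.Count -gt 0) {
    Write-Warning "Still active in the tenant, do not restore yet: $($pending -join ', ')"
} else {
    Write-Output "All $($UserList.Count) users are in Deleted Users; continue with Refresh Directory Schema."
}
```

The polling loop is the check worth keeping: the article's next step (the schema refresh and re-applying the OU filter) only makes sense once the tenant has actually processed the deletions, and a user that is still active at this point was most likely left in a synced OU.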
Now you are ready to restore the users in Office 365; you will find the migrated users under the Deleted Users section. Simply select the user and restore it, use the temporary password that was sent out to the users, and ensure that the option to change the password at next sign-in is selected. All users should now show up as In Cloud. The users should retain all the same settings as before, and all licenses should still be applied.
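The restore step can also be done from PowerShell, which makes it easy to give each account its own temporary password and to confirm afterwards that the account is no longer directory-synced. This is an added example, not code from the original article; it uses the MSOnline module cmdlets (Connect-MsolService, Restore-MsolUser, Set-MsolUserPassword, Get-MsolUser) and assumes a placeholder file of UPNs as input.

```powershell
# Added example, not part of the original article.
# Restores each soft-deleted user, sets a unique temporary password that must be
# changed at next sign-in, and reports whether the account now looks cloud-only.
Import-Module MSOnline
Connect-MsolService

$UserList = @(Get-Content -Path '.\migrating-upns.txt')   # constructed input: one UPN per line

function New-TempPassword {
    # 16 characters drawn with a CSPRNG; rejection sampling avoids modulo bias.
    # Ambiguous characters (I, l, O, 0, 1) are left out so users can type it.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*?'
    $limit = 256 - (256 % $chars.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $pw    = ''
    while ($pw.Length -lt 16) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $pw += $chars[$buf[0] % $chars.Length] }
    }
    return $pw
}

$results = foreach ($upn in $UserList) {
    try {
        # Restore from Deleted Users; mailbox, groups and licences come back with it.
        Restore-MsolUser -UserPrincipalName $upn -ErrorAction Stop

        # Temporary password plus a forced change at first sign-in.
        $temp = New-TempPassword
        Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $temp -ForceChangePassword $true | Out-Null

        # A cloud-only account has no LastDirSyncTime; ImmutableId is reported so
        # you can see whether the on-prem source anchor is still recorded.
        $u = Get-MsolUser -UserPrincipalName $upn
        [pscustomobject]@{
            UserPrincipalName = $upn
            CloudOnly         = [string]::IsNullOrEmpty($u.LastDirSyncTime)
            ImmutableId       = $u.ImmutableId
            Licensed          = $u.IsLicensed
            TempPassword      = $temp
        }
    } catch {
        [pscustomobject]@{
            UserPrincipalName = $upn
            CloudOnly         = $false
            ImmutableId       = $null
            Licensed          = $null
            TempPassword      = "RESTORE FAILED: $($_.Exception.Message)"
        }
    }
}

# Temporary passwords go to users out of band; keep this file off shared paths
# and delete it once the passwords have been handed over.
$results | Export-Csv -Path '.\restore-results.csv' -NoTypeInformation
$results | Format-Table UserPrincipalName, CloudOnly, Licensed, ImmutableId
```

The article hands out one temporary password; this example generates a separate one per account instead, so that a leaked announcement email does not open every migrated mailbox until its owner signs in. Any row with CloudOnly set to false after the sync has settled means that account was still matched by AAD Connect and needs the OU filter re-checked. If the ImmutableId column still shows a value and you want the account to have no tie back to the old on-prem object, `Set-MsolUser -UserPrincipalName <upn> -ImmutableId "$null"` clears it.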